Abstract

Shamir or Blakley secret sharing schemes have been used for the authentication process in earlier
studies, but secure group authentication and the hand-over process remain challenges in group
authentication approaches. In this study, a novel method is proposed to provide secure group authentication.
The proposed approach also enables a hand-over process between groups by using Lagrange’s polynomial 
interpolation and Weil pairing in elliptic curve groups for wireless networks with mobility support. One 
of the advantages of our proposed scheme is that the computational load for a member in the group is 
lower than the other schemes in the state-of-the-art. It is also possible to authorize many users at the 
same time, not one-to-one as in the group authentication methods in current cellular networks including 
Long Term Evolution (LTE). Another advantage that is not covered in other secret sharing methods 
is that the proposed approach constitutes a practical solution for the hand-over of members between 
different groups. We have also proposed a solution for replay and man-in-the-middle attacks in secret 
exchange. 


Index Terms 

Secret Sharing, Internet of Things, Hand-Over, Group Authentication, Elliptic Curve Cryptography, 
Bilinear Mapping, Wireless Networks. 


I. Introduction 

Authentication is the process of ascertaining that an entity really is who it claims to be [1]. It is one
of the most important processes in access control chain as all other security and data transmission 
operations will follow after the authentication process. There will be many interconnections 
in a wirelessly connected and distributed environment in the future. In such an environment, 
the authentication of those who have come together to form a group is not an easy task.
Additionally, the elements that perform this authentication process have very few resources
and little computational power. From a security standpoint, the worst case is that all the devices in the
communication network are mobile and this case will be a reality in the near future, that is, the
number of mobile devices and the distributed networks will increase dramatically.

In a highly distributed environment, the users create groups within themselves according
to certain characteristics or their coverage area. Due to the difficulty of making one-to-one 
authentication among all the members within the group, the concept of group authentication 
paradigm has recently emerged. After the group authentication process, the next step is to 
authenticate members from other groups, which is called hand-over between groups. The research 
has been mostly focused on group authentication in a wireless environment, but the hand-over
problem has not yet been addressed. Traditional authentication process includes
one claimer that requests authentication and one prover that approves the claims. This process 
can be called one-to-one authentication. One-to-one authentication is no longer applicable in 
a distributed environment. If $n$ users want to authenticate each other, one user should repeat
the authentication process $n - 1$ times and this requires approximately $O(n^2)$ communications.
Many-to-many authentication, which is referred to as group authentication is the new scheme 
for the complex, mobile and crowded networks. The main idea of group authentication is to 
authenticate n users at the same time. The communication complexity of such an authentication 
process is expected to be $O(1)$.

In the next section, several related works are mentioned. In general, the researchers’ objective 
is to find a way to authenticate users who belong to the same group at the same time. But the current
mobility of the users is extremely high and it will be higher in the near future. Therefore, one
user who belongs to a group will travel to the area of other groups and will try to establish 
communication with other groups. Hand-over of users between different authentication groups 
is still a dilemma for group authentication studies. 

One of the most important problems in the group authentication methods is that the members 
of the group share their secret key with each other as plaintext messages. The same problem 
applies to hand-over methods. Any attacker can use plaintext messages to execute various attacks 
or obtain secret keys. Also attackers can use these plaintext messages to be included in the 
hand-over process. The proposed method hides the secret during the communication while 
employing ECC and bilinear mapping. Our study provides solutions for most of the gaps in 
the literature. One of them is that the researchers who studied group authentication did not take
into consideration the hand-over of members between groups. We propose an authentication
method in a group, a key agreement protocol and a hand-over method. The advantages of our
hand-over solution are the low computational cost and its distributed structure. A node should
only compute one elliptic curve multiplication in order to access the new group. Also, in the
new group, any member can perform the hand-over process of a new member. There is no need
for a central authority for the hand-over process.

Another gap in the literature is that node compromise, replay, denial of service (DOS) and
man-in-the-middle attacks are vulnerabilities of wireless networks, yet no solution has been proposed
to overcome these problems. Many group authentication schemes are also vulnerable
to the man-in-the-middle attack. The attacker may interrupt the communication of two members
within the group and can capture some credentials in order to participate in the authentication process.
Our proposal provides a solution for man-in-the-middle attacks by using bilinear mapping, as
discussed in the security analysis section of the study. Overall, our proposed approach for group
authentication offers an efficient hand-over process, resistance to replay and man-in-the-middle
attacks, low computational cost, and authentication for mobile and distributed groups.

This paper is organized as follows. The following section provides an overview of related 
works about group authentication and hand-over. In the third section, the proposed method for
group authentication and authentication between two nodes from different groups is presented.
The security analysis of our proposal is given in Section IV and the performance evaluation is 
provided in the following section. The study is completed by conclusion and future works. 

II. Related Work 

The authors of [2] propose a group authentication and key agreement protocol for LTE networks.
Only one mobile end device can be authenticated by the serving network. Therefore, the protocol
is a one-to-one authentication process and it is not applicable to densely populated distributed
networks due to the time and resource limitations. Moreover, when one mobile node wants to
communicate with another group, the authentication process should be repeated for the other group.

Another group authentication scheme is proposed in [3]. They use a hash function with a pre-shared
key (HMAC) in order to authenticate nodes. At the second phase of the authentication
process, each user sends a reply to the authentication point at different times. The second process
makes the protocol a one-to-one authentication scheme.

A novel method on handover problem for wireless networks is proposed in [4]. In the 
architecture, authentication and authorization server shares the secret both with base stations 
(BS) and mobile stations (MS). In the study, each MS needs to repeat the authentication process 
with the BS to have a group authentication. But this kind of authentication takes too much time 
and resource for distributed networks. Also, there is no proposal for authentication between MSs
connected to the different BSs.

HashHand [5] is another proposal to hand over nodes between access points in mobile 
networks. The proposal is a good example of implementation of ECC and bilinear mapping 
for hand-over purposes. Mobile nodes only consume resources in order to calculate the bilinear
pairing for the authentication code. The most resource-consuming jobs are done by the authentication
server and the structure is not group-based. Therefore, we can consider the proposal a centralised
authentication method.

ECC with RSA algorithm is used in [6] in order to overcome the vulnerabilities in
HashHand. The algorithm works faster than HashHand and uses less computational power. But 
it is still a centralised authentication method. 

Another hand-over method in centrally managed systems is the PairHand method [7]. When 
a mobile node wants to connect with another access point, it calculates a value using its private 
key and the new access point’s public key and shares it with the access point. The access point 
confirms the value with its private key and the public key of the sending mobile node. The 
method is not a group-based authentication solution. 

The same authors show that PairHand’s solution is vulnerable to session key compromise
attack in the same year [8]. They produce a solution to the problem of the PairHand algorithm. They
recommend that the mobile node in the PairHand algorithm should send a timestamp before
starting the authentication process with the access point.

Conference key distribution system (CKDS) is proposed in order to create a secret between n 
members in a group [9]. However, this method is one-to-one rather than a many-to-many method 
and causes a huge amount of time and resource consumption. 

Authors propose a method in order to integrate control and non-payload communication link 
which is used between unmanned aerial vehicle (UAV) and ground control station (GCS) into 
LTE network in [10]. All the credentials are selected and coordinated by an authentication 
server (AuS) and UAVs have end-to-end connections with the server. This proposal is also suitable
to authenticate one UAV at once. Therefore, the method is one-to-one authentication [10].

The basis of distributed group authentication schemes is that a secret value is divided into 
pieces and then secret is recovered by using the pieces. The foundation of the studies in this area 
was built in 1979 by two different researchers. The Shamir secret sharing (SSS) method was 
proposed by Adi Shamir [11]. In the same year, the concept of key safeguarding was revealed 
by George Robert Blakley [12]. Both SSS and key safeguarding schemes are called threshold
schemes. According to key safeguarding scheme, a secret can be decomposed into shadows
and secret can be recovered from any r or more set of the shadows. But no one can have any 
information about secret by having s or fewer set of the shadows (r — s + 1) [13]. 

Asmuth and Bloom propose a key safeguarding scheme, which is based on the Chinese
remainder theorem (CRT). If anyone has shadows up to $r$, $y$ can be computed easily using CRT
and then the secret can be recovered. But anyone who has $r - 1$ shadows cannot recover the secret [13].

Another secret sharing method [14] is developed using Gray code and XOR operations. The 
recommended method is for a group of 7 users. 3 or 7 of these 7 group members should come 
together in order to recover the master key. Although it is seen as a secure method, it is not 
stated how to share the secret key securely between these members. By eavesdropping on these
communications, any attacker can capture secret keys and calculate the master key. At the same
time, there is no solution for more than 7 participants. 

Harn proposes an algorithm for group authentication in [15]. The algorithm is built based on
the SSS. The authentication is not a one-to-one type authentication as in currently used authentication
methods. The algorithm provides authentication for several nodes at the same time. This is called
many-to-many authentication type. One of the nodes selects a random polynomial $f(x)$ of degree
$t - 1$: $f(x) = a_0 + a_1 x + \dots + a_{t-1} x^{t-1} \bmod p$, where $p$ is a prime number. The secret for
the communication is $a_0$, which is the constant term of the polynomial. The node calculates one
secret and one private key for each node in the group. Then, the node distributes the keys to the
nodes in the group. Each group calculates the secret by the Lagrange interpolation formula. In the
algorithm, many-to-many authentication is done. However, there is no proposal for hand-over
of nodes between two different groups.

The authors propose an algorithm by using Paillier threshold cryptography in [16]. They 
compare their result with Harn group authentication method and present the results from their 
experiments. The results from [16] show that their algorithm has a better computational time 
than the Harn group authentication algorithm. But they don’t take into account the computational 
cost of public and private key encryptions. They also don’t propose any method for hand-over 
of nodes between two different groups. 

Paillier threshold cryptography method is used in [17] in order to authenticate many devices 
at once. It is not specified in the article how to distribute private keys securely. 

Chien [18] shows that the Harn schemes allow some attacks. If an attacker can get $k$ distinct
values in $k$ different trials, the secret function chosen by the group manager (GM) can be solved
and all users’ secrets can be obtained. Chien proposes a new method based on SSS, ECC and
pairing-based cryptography in order to ensure a secure group authentication process. According
to the proposal, GM selects two additive groups $G_1$, $G_2$ and one multiplicative group $G_3$ with order
$q$. GM makes a generator $P$ for $G_2$ public. A polynomial with degree $t - 1$ is chosen. The
constant term of the polynomial will be the master secret $s$. The value of


$$Q = s \cdot P$$


is computed and shared publicly. For each user, one public key $x_i$ and one private key $f(x_i)$
are chosen and shared with the related users secretly. Users participating in the authentication phase
agree on a random point $R_v$ on $G_1$. Then, each user computes

$$c_i = f(x_i) \prod_{r=1, r \neq i}^{m} \frac{-x_r}{x_i - x_r}$$

and releases $c_i \cdot R_v$. After all users release the $c_i \cdot R_v$, each user computes

$$\sum_{i=1}^{m} c_i \cdot R_v$$

and verifies if

$$e\left(\sum_{i=1}^{m} c_i \cdot R_v,\ P\right) = e(R_v, Q)$$

holds. The algorithm provides security for group authentication except against node compromise and
DOS attacks. On the other hand, it is a resource-consuming method for users. Chien also does not
propose any hand-over algorithm in his study.



III. Proposed Method 

In our proposal, we use the same $(t, m, n)$ logic as in Harn’s algorithm. There are $n$ users
in the group and $m$ users want to authenticate each other; $t$ is the threshold for the algorithm
($t < m < n$). $n$ should be greater than $m$ and the secret can be obtained by the participation of
$m$ or more users.

It should be noted at this stage that the proposed method can especially be used for public
safety networks (PSN) and Internet of Things (IoT) networks. More than one group takes
part in our scenario. Each group has a group manager denoted by GM. GM is assumed to be
infrastructure-based and to have relatively more computational power. All group managers can
communicate with each other securely via traditional cryptographic methods. In addition to the
group managers, each group has several other members which have resource or computational
constraints.

Note that if the PSN environment is under consideration, GM is basically the ground radio 
stations (GRS) and the group members are UAV devices. Similarly, gateways with specific 
capabilities in an IoT environment are GMs and radio frequency identification tags can be 
considered to be other members in a group. The capabilities of tags and UAV devices are at 
a certain restricted rate. Under these considerations we propose a novel method. The proposed 
method has three stages. The first stage involves authentication which is based on ECC and SSS. 
This first stage consists of two phases, which are called the initialisation and the confirmation 
phases. The second stage, which is the key agreement stage, provides a solution to construct 
a master key for further communications. The hand-over stage is a crucial part of group
communication in order to authenticate the users from other groups. The details of each phase
are presented below.

The Initialisation Phase: 

1) GM selects a cyclic group $G$ and a generator $P$ for $G$.

2) GM selects a bilinear map $e : G \times G \to G'$ and the algorithms $E = Encryption()$ and
$D = Decryption()$.

3) A polynomial with degree $t - 1$ is chosen by GM and the constant term is determined as
master key $s$.

4) GM selects one public key $x_i$ and one private key $f(x_i)$ for each user in the group $U$, where
each user is denoted by $U_i$ for $i = 1, \dots, n$.

5) GM computes $Q = s \cdot P$.

6) GM makes $P$, $Q$, $e$, $E$, $D$, $H(s)$ public and shares $f(x_i)$ with only user $U_i$ for $i = 1, \dots, n$.

The confirmation phase is executed after GM shares the values with the related users. There are
two different options in the confirmation phase. One of them is that the GM will be responsible
for confirming the group members. In the other case, that is, if GM is not responsible, any member
within the group will confirm the other members.


The Confirmation Phase 

1) Each user computes $f(x_i) \cdot P$ and sends $f(x_i) \cdot P \| ID_i$ to GM and other users ($ID_i$ is the
identification number of the user).

2) If GM verifies the authentication, GM computes $f(x_i) \cdot P$ for each user and verifies whether
the values are valid or not.

3) If GM is not included in the verification process, any user in the group computes

$$c_i = \left( \prod_{r=1, r \neq i}^{m} \frac{-x_r}{x_i - x_r} \right) f(x_i) \cdot P$$

for each user.

4) User verifies if

$$\sum_{i=1}^{m} c_i = Q$$

holds.

5) If it holds, authentication is done. Otherwise, the process will be repeated from the initialization
phase.

Algorithm 1: Confirmation Phase

    Each member computes $f(x_i) \cdot P$ and shares $f(x_i) \cdot P \| ID_i$ with GM and other members.
    if GM verifies the authentication then
        GM computes $f(x_i) \cdot P$ for each user.
        if all values are valid then
            Print "Authentication is done."
        else
            Repeat.
    else
        Any user computes $c_i = f(x_i) \cdot P \prod_{r=1, r \neq i}^{m} \frac{-x_r}{x_i - x_r}$ for each user.
        if $\sum_{i=1}^{m} c_i$ is equal to $Q$ then
            Print "Authentication is done."
        else
            Repeat.

Authentication both by GM and by any group member is given in Algorithm 1. It is clear
that group members should only compute one elliptic curve multiplication operation. Also,
users should send their identification numbers by concatenating them with public shares in order to
avoid confusion in further communications, because these public shares will be used by other
users in further communications and in the group key agreement stage. All group users should
know which public share belongs to which user.

After authentication is done, users will communicate with each other by using symmetric key 
encryption. Shared key for symmetric key encryption will be calculated by senders and receivers. 

Pairing-based cryptography is used in order to compute the shared key between the group members.
A bilinear map is a map which is linear in each component [19]. Let us say $P$ and $Q$ are points
on groups $G_1$ and $G_2$. If $e(P, Q)$ is equal to $z$, $e(aP, bQ)$ should be $z^{ab}$. Also, $e(aP, bQ)$ is
equal to $e(bP, aQ)$.

Let us set the key $K$ as

$$K = e((y_i y_j) P, Q)$$

where $y_i = f(x_i)$, i.e., $y_i$ is the secret of the user $U_i$. The sender will use its own private key
($y_i$), the value sent by the receiver ($y_j P$) and the public information $Q$. The receiver will obtain
the same key by using its own private key $y_j$, the value sent by the sender ($y_i P$) and $Q$.

After this stage, group members can communicate with each other by a symmetric key 
encryption method. But instead of using different keys for each user, the master key that was 
selected by GM can be used as the group key. The problem is how the users will recover the 
master key. We basically exploit SSS and a symmetric key encryption method to share the master
key in the group key agreement stage. 


The Group Key Agreement Stage 


1) Each user shares its own secret key $f(x_i)$ with other users using symmetric key encryption.

2) Each user decrypts the values and obtains $m$ different $f(x_i)$.

3) Each user computes

$$s' = \sum_{i=1}^{m} f(x_i) \prod_{r=1, r \neq i}^{m} \frac{-x_r}{x_i - x_r}$$

4) Each user verifies that $H(s') = H(s)$ holds.

Algorithm 2: The Group Key Agreement Stage

    $U_i$ computes $E_{e(f(x_i) f(x_j) P,\, Q)}[f(x_i)]$ for each $U_j$.
    Each user computes
    Each user computes $s' = \sum_{i=1}^{m} f(x_i) \prod_{r=1, r \neq i}^{m} \frac{-x_r}{x_i - x_r}$.
    Each user computes $H(s')$.
    if $H(s')$ is equal to $H(s)$ then
        Print "Master Key is recovered".
    else
        Repeat.


At the end of the group key agreement stage, each member within the group will recover the
master key as given in Algorithm 2. After the group key agreement process, the members
of the group will be able to communicate with each other using the master key. In addition, GM
can update $x_i$ and $f(x_i)$ values remotely using the master key in order to avoid the replay attacks
mentioned in the security analysis part of the study.

GM always knows that $m$ users participated in the authentication and $x_m$ values were used so
far. If GMs can coordinate the $x$ values which they used for group authentication, they will use
distinct $x$ values for each user. If GMs select different $x$ values and share their polynomial with
other GMs, the hand-over process can be done as given in Algorithm 3.

In many studies, group authentication was completed at this point. However, since UAV and 
IoT nodes are constantly on the move, they will be able to access the coverage area of another 
group or the IoT gateway. Instead of repeating the entire process, it is necessary to quickly 
authenticate the new member. Therefore, each group authentication scheme should have a hand-over
method.


The Hand-Over Stage 

1) $GM_1$ shares group-1 polynomial $f(x)$ with $GM_2$ by secure channel.

2) $GM_2$ shares group-2 polynomial $g(x)$ with $GM_1$ by secure channel.

3) If $GM_2$ is responsible for hand-over, the user $U_i$, which wants to participate in Group-2,
computes $f(x_i) P_2$ and shares $x_i$, $f(x_i) P_2$ with $GM_2$ ($P_2$ is public).

4) $GM_2$ verifies $f(x_i) P_2$ is correct.

5) If it is correct, $GM_2$ shares the encryption of Group-2 master key ($E_{e(s_2 f(x_i) P_2,\, Q_2)}[s_2]$) with
$U_i$.

6) $U_i$ computes $D_{e(f(x_i) s_2 P_2,\, Q_2)}[s_2]$ and gets master key of Group-2 for further communications
($P_2$ and $Q_2$ are public).

7) If $GM_2$ is not responsible for hand-over, $U_i$ requests $g(x_i)$ from $GM_1$.

8) $GM_1$ computes $g(x_i)$ and shares it with $U_i$ securely.

9) $U_i$ computes $g(x_i) P_2$.

10) $U_i$ shares $x_i$ and $g(x_i) \cdot P_2$ with any user of Group-2 ($U_j$).

11) $U_j$ computes

$$Q_2' = \sum_{i=1}^{m+1} g(x_i) P_2 \prod_{r=1, r \neq i}^{m+1} \frac{-x_r}{x_i - x_r}$$

12) $U_j$ verifies

$$Q_2' = Q_2$$

holds.

13) If it holds, $U_j$ shares its public key $g(x_j) P_2$ and the encryption of group-2 master key
($E_{e(g(x_j) g(x_i) P_2,\, Q_2)}[s_2]$) with $U_i$.

14) $U_i$ computes $D_{e(g(x_i) g(x_j) P_2,\, Q_2)}[s_2]$ and gets master key of group-2 for further
communications.
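The check used by both the confirmation phase ($\sum c_i = Q$) and the non-GM hand-over path ($Q_2' = Q_2$) can be run on a small curve. The following Python sketch is an added example, not code from the paper: it assumes a textbook toy curve ($y^2 = x^3 + 2x + 2$ over $F_{17}$, generator $(5, 1)$ of prime order 19), constructed polynomials and $x$ values, $P_2 = P$, and a credential refresh that keeps $s_2$; all function names are hypothetical.

```python
# Added illustration, not the paper's code. Toy curve y^2 = x^3 + 2x + 2 over
# F_17 with P = (5, 1) of prime order 19: far too small for real use.
FIELD_P, CURVE_A, ORDER_Q = 17, 2, 19
P = (5, 1)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1 % FIELD_P, -1, FIELD_P)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD_P, -1, FIELD_P)
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    k %= ORDER_Q
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def poly_eval(coeffs, x):
    """f(x) mod q; coeffs[0] is the master secret s."""
    return sum(c * pow(x, k, ORDER_Q) for k, c in enumerate(coeffs)) % ORDER_Q


def public_share(coeffs, x):
    """Member side: (x_i, f(x_i) * P), a single point multiplication."""
    return (x, ec_mul(poly_eval(coeffs, x), P))


def lagrange_at_zero(i, xs):
    """Product over r != i of (-x_r) / (x_i - x_r), computed mod q."""
    coeff = 1
    for r, x_r in enumerate(xs):
        if r != i:
            inv = pow((xs[i] - x_r) % ORDER_Q, -1, ORDER_Q)
            coeff = coeff * (-x_r) * inv % ORDER_Q
    return coeff


def verify_shares(shares, q_point):
    """Verifier side: sum_i c_i == Q with c_i = lambda_i * (f(x_i) * P)."""
    xs = [x % ORDER_Q for x, _ in shares]
    if len(set(xs)) != len(xs):
        return False  # repeated x_i: x_i - x_r has no inverse
    total = INF
    for i, (_, point) in enumerate(shares):
        total = ec_add(total, ec_mul(lagrange_at_zero(i, xs), point))
    return total == q_point


def run_demo():
    """Constructed sample data with t = 3 and m = 4 participants."""
    g = [7, 3, 5]    # group-2 polynomial 7 + 3x + 5x^2 mod 19, s_2 = 7
    f = [11, 2, 8]   # polynomial of the newcomer's old group
    q2 = ec_mul(g[0], P)                      # Q_2 = s_2 * P, public
    members = [public_share(g, x) for x in (1, 2, 3, 4)]
    tampered = list(members)
    x_bad, pt_bad = tampered[2]
    tampered[2] = (x_bad, ec_add(pt_bad, P))  # share off by one multiple of P
    refreshed = [7, 10, 1]                    # assumed refresh: same s_2, new shares
    stale_mix = [public_share(refreshed, x) for x in (1, 2, 4)] + [members[2]]
    return {
        "confirmation": verify_shares(members, q2),
        "below_threshold": verify_shares(members[:2], q2),
        "tampered_share": verify_shares(tampered, q2),
        "handover_valid": verify_shares(members + [public_share(g, 9)], q2),
        "handover_wrong_poly": verify_shares(members + [public_share(f, 9)], q2),
        "stale_after_refresh": verify_shares(stale_mix, q2),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

Only public values enter `verify_shares`, so the GM or any member can run it. The rejected cases correspond to Theorem 1, an invalid share as in Vulnerability 2, a hand-over share computed under the wrong polynomial, and a captured share presented after the credential update recommended for Vulnerability 1.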

Overall, we propose a comprehensive solution for authentication of users belonging both to
the same group and to different groups in three different stages. A group authentication is
accomplished with very low computational power on users in the first stage. A master key is
recovered by all group users for a distributed environment in the second stage. In the last stage,
a user is authenticated by the new group in a very short time period. The details of the security
and performance analysis are given in the next sections of the study.


IV. Security Analysis 

In this section, we analyze certain possible attacks on the algorithms presented above.

Theorem 1: Group authentication cannot be performed without $t$ valid public and private values.

Proof. Since the stated polynomial $f(x)$ is of degree $t - 1$, it is necessary to know $t$ distinct
pairs of $(x, f(x))$ to form the polynomial again. The polynomial cannot be formed again
by holding fewer than $t$ pairs.

Theorem 2: The attacker who captures the values of $Q$ and $P$ sent publicly by the group manager
cannot have knowledge of the secret $s$.

Proof. Given two points $P$ and $Q$ on an elliptic curve group, it is hard to find the $s$ value
that provides a relationship like $Q = s \cdot P$. This open problem is called the Elliptic Curve Discrete
Logarithm Problem (ECDLP). Therefore, it is hard to find $s$ by having $Q$ and $P$.

Theorem 3: The attacker who captures the value of $f(x_i)P$ sent by the group members to the
group manager cannot have knowledge of $f(x_i)$.

Proof. Due to the hardness assumption of ECDLP, it is hard to find $f(x_i)$ by having $f(x_i)P$.

Theorem 4: The attacker can capture $f(x_i)P$, $e$ and $Q$ but cannot obtain a valid symmetric
key in order to establish communication with user $U_i$.

Proof. The attacker will need $f(x_j)$ to compute $e(y_i y_j P, Q)$ but $f(x_j)$ is a secret known only
by the user $U_j$.

Theorem 5: The attacker can perform a man-in-the-middle attack but cannot obtain any credentials.
Proof. The attacker can intercept the communication between two users and act as a real user. The
attacker can continue to participate in the process until the bilinear mapping phase. Because the
attacker has only $f(x_j)P$, $f(x_i)P$ and $Q$, the key ($e(f(x_i) f(x_j) P, Q)$) that is used for the
construction of the master key cannot be obtained.

Algorithm 3: Hand-Over Stage

    if $GM_2$ is responsible then
        $U_i$ shares $f(x_i) P_2$ with $GM_2$.
        $GM_2$ verifies $f(x_i) P_2$ is correct.
        if the value is correct then
            $GM_2$ shares $s_2$.
        else
            Print "Not valid user."
    else
        $GM_1$ computes $g(x_i)$ and shares it with $U_i$.
        $U_i$ computes $g(x_i) P_2$.
        $U_i$ shares $x_i$ and $g(x_i) P_2$ with any user of group-2 ($U_j$).
        $U_j$ computes $s_2' = \sum_{i=1}^{m+1} g(x_i) \prod_{r=1, r \neq i}^{m+1} \frac{-x_r}{x_i - x_r}$.
        $U_j$ computes $H(s_2')$.
        if $H(s_2')$ is equal to $H(s_2)$ then
            Print "Valid user".
            $U_j$ shares $s_2$.
        else
            Print "Not valid user."

Vulnerability 1: If the authentication secrets are used more than once, the attacker can perform
a replay attack in the next trial.

Proof. The attacker can eavesdrop on the traffic in the first trial and capture $f(x_i)P$. In the next trial
the attacker can send $f(x_i)P$ to GM before $U_i$ and get involved in the group. In order to avoid this
vulnerability, GMs should update credentials using the master key for each group authentication.

Vulnerability 2: The attacker can perform a DOS attack on the authentication process.

Proof. The attacker can share an invalid value when the members send their shares to the user which
will control the authentication. The user cannot compute a valid value and repeats the process.
The attacker can share an invalid value again and perform denial of authentication.

Vulnerability 3: The node compromise attack can be performed.

Proof. If the attacker could physically capture a group member, it obtains the secret key of
the member. As a result of the capture of the secret key, the attacker can generate a valid public
key and share it with GM in order to authenticate itself. If it has a secret key, it can also
communicate with the other members of the group by producing symmetric keys.

Vulnerability 4: The group members can perform a DOS attack on the confirmation point.

Proof. If the group members send their shares to the point which is responsible for confirmation
at the same time, the confirmation point can be locked. The solution for this kind of DOS attack
is still a challenge in group authentication studies.

V. Performance Analysis 

We use the time complexity approach in [18] to compare our algorithm with the Harn and Chien
schemes. Our algorithm and the Harn and Chien algorithms each have a GM which is responsible
for initialising the authentication. In a PSN or wireless sensor network, the group manager will
be a GRS and group members will be UAVs or sensors. Therefore, group members will have
computational and resource restrictions.

Due to the reasons we mentioned before, we only take into consideration the computations
that are made by group members. While each user in the Chien algorithm should compute
$(7m + 6785)\,T_{mul_q}$ [18], each user in the Harn asynchronous multiple authentication scheme should
compute $(45m + 1418)\,T_{mul_q}$ [18]. ($T_{mul_q}$ denotes the time for one multiplication in field $q$ where
$q$ is 160 bits; $m$ denotes the number of users in the group.)

Fig. 1. The Comparison of Computational Costs in Authentication Stage (legend: Chien [16], Harn [13], Proposed Method)

In our proposal the group members should only compute one elliptic curve point multiplication
($T_{EM}$). According to Chien [18], $1\,T_{EM}$ is roughly equal to $29\,T_{mul_p}$ ($T_{mul_p}$ denotes the time
for one multiplication in field $p$ where $p$ is 1024 bits). The security of ECC with a 160-bit key
is roughly equivalent to that of RSA with a 1024-bit key or the D-H algorithm with a 1024-bit key.
Therefore, $1\,T_{mul_p}$ is roughly equal to $41\,T_{mul_q}$ [18]. In our authentication algorithm, group
members compute $29\,T_{mul_p}$, which is $1189$ ($29 \times 41$) $T_{mul_q}$.

Confirmation for the authentication process is done by group members in the Chien and Harn schemes.
But in our scheme, the GM or only one user is responsible for the confirmation part of the
authentication. As can be seen from Fig. 1, our proposal is scalable with the number of
group members.


VI. Conclusion 

The study proposes a novel method for authentication and hand-over process on group communication
in wireless networks. Many-to-many authentication is used for group authentication by
several studies but resource-constrained users were forced to compute more than their capacity.
Group members should only compute one elliptic curve point multiplication in the proposed
method. Most of the resource-consuming work is done by the GM or one of the group members,
not by all the group members as in other proposed methods.

The vulnerabilities which we mentioned in the security analysis part are still a research area for
scientists who study secret sharing algorithms in group communication. As far as we know,
there is no proposal for replay, node compromise and DOS attacks under the framework of secret
sharing schemes. Our proposal provides security against replay attacks if the GMs update the
credentials for each authentication.

Our study is made by assuming that the group manager or base station is infrastructure-based.
For this reason, there is no computation or resource restriction on the base station. However,
base stations are gradually becoming mobile and infrastructure-less. New methods are needed
to deal with these challenges.

SSS and ECC are used as the basis of the proposed algorithms. The ECC method is more cost
effective than other public key cryptography methods. ECC can be performed by devices
with resource and computational restrictions. But even this single operation creates a certain load
on the devices. One future work is to find a cross-layer solution that will allow users to send
their private keys secretly.